PT-2025-7547 · Xwiki · Xwiki Platform

John Kwak · Published 2024-05-06 · Updated 2026-02-05 · CVE-2025-24893

CVSS v3.1: 9.8 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
XWiki versions prior to 15.10.11
XWiki versions prior to 16.4.1
XWiki versions prior to 16.5.0RC1
Description
XWiki Platform is susceptible to an unauthenticated remote code execution (RCE) vulnerability. An attacker without an account can execute arbitrary code on the server by sending a single crafted GET request to the SolrSearch page. The flaw is in the SolrSearchMacros component: when search results are requested as an RSS feed (the media=rss request mode), the user-supplied search string from the text parameter is written into the feed unescaped, and the feed is then rendered as wiki content instead of being returned as raw XML. XWiki macro syntax placed in the parameter, for example a {{groovy}} script macro, is therefore evaluated inside the XWiki server process. The RondoDox botnet has been observed actively exploiting this vulnerability to deploy cryptocurrency miners and establish remote shells; numerous reports describe widespread exploitation, with over 1,200 exposed instances identified.

API Endpoint: /xwiki/bin/get/Main/SolrSearch
Vulnerable Parameter: text
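The following Python script is an added example, not code from this advisory or from the XWiki project. It scans web-server access logs in the combined log format for requests to the SolrSearch page whose text parameter carries XWiki macro syntax (a {{groovy}}, {{async}}, {{velocity}}, {{python}} or {{script}} macro, or the }}} sequence that closes an enclosing macro so that what follows is parsed as fresh wiki markup), which is what an exploitation attempt of this flaw looks like on the wire. The log lines are constructed for the example; the marker list, the second URL-decoding pass to catch double-encoded payloads, and the assumption that the request path ends in /bin/get/Main/SolrSearch (XWiki may be mounted under a context root other than /xwiki) are mine.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample lines in the "combined" access-log format written by
# Apache httpd and nginx; none of this is real traffic. Lines 1, 4 and 5 carry
# XWiki macro syntax in the text parameter (line 5 double-encoded); line 2 is
# an ordinary search; line 3 is unrelated.
SAMPLE_LOG = """\
203.0.113.10 - - [29/Oct/2025:10:14:02 +0000] "GET /xwiki/bin/get/Main/SolrSearch?media=rss&text=%7D%7D%7D%7B%7Basync%20async%3Dfalse%7D%7D%7B%7Bgroovy%7D%7Dprintln%28%22x%22%29%7B%7B%2Fgroovy%7D%7D%7B%7B%2Fasync%7D%7D HTTP/1.1" 200 1873 "-" "curl/8.4.0"
198.51.100.7 - - [29/Oct/2025:10:15:40 +0000] "GET /xwiki/bin/get/Main/SolrSearch?text=installation+guide HTTP/1.1" 200 5212 "-" "Mozilla/5.0"
192.0.2.44 - - [29/Oct/2025:10:16:01 +0000] "GET /xwiki/bin/view/Main/WebHome HTTP/1.1" 200 9120 "-" "Mozilla/5.0"
203.0.113.10 - - [29/Oct/2025:10:16:30 +0000] "GET /xwiki/bin/get/Main/SolrSearch?media=rss&text=%7B%7Bvelocity%7D%7Dtest%7B%7B%2Fvelocity%7D%7D HTTP/1.1" 200 1700 "-" "python-requests/2.31"
203.0.113.10 - - [29/Oct/2025:10:17:05 +0000] "GET /xwiki/bin/get/Main/SolrSearch?media=rss&text=%257B%257Bgroovy%257D%257D%257B%257B%252Fgroovy%257D%257D HTTP/1.1" 500 412 "-" "curl/8.4.0"
"""

# Combined log format: client, identd, user, [timestamp], "request", status, size, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Tail of the vulnerable page's path (assumption: the context root may vary).
SOLR_SEARCH_TAIL = "/bin/get/Main/SolrSearch"

# XWiki rendering-macro syntax that has no business in a search string: an
# opening or closing script/async macro tag, or "}}}" which terminates an
# enclosing macro so the remainder is parsed as wiki markup.
MACRO_RE = re.compile(
    r"\{\{\s*/?\s*(groovy|async|velocity|python|script)\b|\}\}\}", re.I
)


def extract_text_param(target: str):
    """Split a request target into (path, decoded text param, media values)."""
    parts = urlsplit(target)
    qs = parse_qs(parts.query, keep_blank_values=True)
    # parse_qs percent-decodes once; decoding again exposes double-encoded
    # payloads and is harmless for a normal search string.
    text = unquote(qs.get("text", [""])[0])
    media = [m.lower() for m in qs.get("media", [])]
    return parts.path, text, media


def classify_request(line: str):
    """Return a finding dict for a suspicious SolrSearch request, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path, text, media = extract_text_param(m["target"])
    if not path.lower().endswith(SOLR_SEARCH_TAIL.lower()):
        return None
    markers = sorted({mm.group(0).lower() for mm in MACRO_RE.finditer(text)})
    if not markers:
        return None
    return {
        "ip": m["ip"],
        "timestamp": m["ts"],
        "status": int(m["status"]),
        "rss_mode": "rss" in media,  # the feed output is where the injection renders
        "markers": markers,
        "text": text,
    }


def scan_log(log_text: str):
    """Run classify_request over every line and keep the findings, in order."""
    findings = (classify_request(line) for line in log_text.splitlines())
    return [f for f in findings if f]


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        mode = "rss" if f["rss_mode"] else "html"
        print(f["timestamp"], f["ip"], f["status"], mode, f["markers"])
```

A 200 response to such a request does not by itself prove success (the injected macro may have failed), but a source that repeatedly sends macro syntax to SolrSearch warrants a look at the instance for dropped miners or shells, as described above.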
Recommendations
XWiki versions prior to 15.10.11: upgrade to version 15.10.11 or later.
XWiki versions prior to 16.4.1: upgrade to version 16.4.1 or later.
XWiki versions prior to 16.5.0RC1: upgrade to version 16.5.0RC1 or later.
As a workaround, edit Main.SolrSearchMacros in SolrSearchMacros.xml on line 955 to match the rawResponse macro in macros.vm#L2824, returning the feed with a content type of application/xml instead of rendering its content as wiki markup. Treat the workaround as a stopgap until the upgrade can be applied.
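As an added example (not part of the advisory or of the XWiki project), the following Python function decides from a version string whether an instance falls in one of the affected ranges listed above and which fixed version applies. The mapping of a version to its fixed release (below 16.0 measured against 15.10.11, 16.0 through 16.4.x against 16.4.1, 16.5 and later against 16.5.0RC1) and the ordering of milestone and rc pre-release suffixes below the final release are my reading of the three ranges, not wording from the advisory.

```python
import re

# Fixed versions named in the advisory, one per release line.
FIXED_15 = "15.10.11"
FIXED_16 = "16.4.1"
FIXED_16_5 = "16.5.0-rc-1"  # the advisory writes this as 16.5.0RC1

# Accepts "16.4.1", "16.5.0-rc-1", "16.5.0RC1", "16.0.0-milestone-1".
VERSION_RE = re.compile(
    r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-?(milestone|rc)-?(\d+))?$", re.I
)
# Pre-release stages in release order; a final release outranks both.
STAGE_RANK = {"milestone": 0, "rc": 1}
FINAL_RANK = 2


def parse_version(version: str):
    """Turn an XWiki version string into a tuple that sorts in release order."""
    m = VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised XWiki version: {version!r}")
    major, minor, patch, stage, stage_num = m.groups()
    if stage is None:
        tail = (FINAL_RANK, 0)
    else:
        tail = (STAGE_RANK[stage.lower()], int(stage_num))
    return (int(major), int(minor), int(patch or 0)) + tail


def fixed_version_for(version: str) -> str:
    """Pick the fixed release that applies to this version's release line
    (assumption: ranges are split at 16.0 and 16.5)."""
    v = parse_version(version)
    if v[:2] < (16, 0):
        return FIXED_15
    if v[:2] < (16, 5):
        return FIXED_16
    return FIXED_16_5


def is_vulnerable(version: str):
    """Return (vulnerable, fixed_version) for one XWiki version string."""
    fixed = fixed_version_for(version)
    return parse_version(version) < parse_version(fixed), fixed


if __name__ == "__main__":
    for v in ["14.10.21", "15.10.10", "15.10.11", "16.4.0", "16.4.1",
              "16.5.0-milestone-1", "16.5.0RC1", "16.10.2"]:
        vuln, fixed = is_vulnerable(v)
        print(f"{v:>20}: {'VULNERABLE' if vuln else 'ok'} (fixed in {fixed})")
```

Feed it the version string the instance reports (for example from its Administration page or page footer); a pre-release such as 16.5.0-milestone-1 is correctly ranked below 16.5.0RC1 and flagged.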

Tags: Exploit, Fix, LPE, RCE, Code Injection, Eval Injection

Weakness Enumeration

Related Identifiers

BDU:2025-01880
CVE-2025-24893
GHSA-RR6P-3PFG-562J

Affected Products

Xwiki Platform